| Summary: | REGRESSION(r181993): [EFL] Performance test Speedometer/Full.html crashes | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Carlos Alberto Lopez Perez <clopez> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | Normal | CC: | cgarcia, chavarria1991, fpizlo, ggaren, gyuyoung.kim, mcatanzaro, ossy, svillar, tonikitoo, zan |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Bug Depends on: | | | |
| Bug Blocks: | 141174 | | |
| Attachments: | attachment 249822 (GDB backtrace, see description) | | |
Description
Carlos Alberto Lopez Perez
2015-03-31 05:33:08 PDT
Created attachment 249822 [details]
GDB backtrace for the GTK port when running the perf test Speedometer/Full.html (debug build on r182181)

Finally I was able to get the test to crash with the Debug build. However, the trace I got seems different from the one from the release build, so maybe we are hitting another bug here. In any case, I'm attaching the GDB backtrace. The relevant part is:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321         *(int *)(uintptr_t)0xbbadbeef = 0;
#1  0x00007f10346f57e4 in JSC::Heap::writeBarrier (this=0x7f101a0306d8, from=0x7f101a1c4c70) at ../../Source/JavaScriptCore/heap/HeapInlines.h:150
#2  0x00007f102fdfa135 in JSC::ScriptExecutable::installCode (this=0x7f101a1c4c70, genericCodeBlock=0x7f0f854b7720) at ../../Source/JavaScriptCore/runtime/Executable.cpp:199
#3  0x00007f102f75fc45 in JSC::CodeBlock::install (this=0x7f0f854b7720) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2989
#4  0x00007f102f75e44f in JSC::CodeBlock::jettison (this=0x7f0f85338720, reason=JSC::Profiler::JettisonDueToUnprofiledWatchpoint, mode=JSC::CountReoptimization, detail=0x7fff8bdd4ec8) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3086
```

The following output was also printed on the screen:

```
$ Tools/Scripts/run-perf-tests --no-show-results --platform gtk --debug Speedometer/Full.html
****************************************************
* WARNING: run-perf-tests is running in DEBUG mode *
****************************************************
Running 1 tests
Running Speedometer/Full.html (1 of 1)
error: Speedometer/Full.html
ASSERTION FAILED: isMarked(from)
../../Source/JavaScriptCore/heap/HeapInlines.h(150) : void JSC::Heap::writeBarrier(const JSC::JSCell *)
1   0x7f102fffe330 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x20) [0x7f102fffe330]
2   0x7f10346f57e4 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3JSC4Heap12writeBarrierEPKNS_6JSCellE+0x164) [0x7f10346f57e4]
3   0x7f102fdfa135 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC16ScriptExecutable11installCodeEPNS_9CodeBlockE+0x735) [0x7f102fdfa135]
4   0x7f102f75fc45 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock7installEv+0x25) [0x7f102f75fc45]
5   0x7f102f75e44f /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock8jettisonENS_8Profiler14JettisonReasonENS_18ReoptimizationModeEPKNS_10FireDetailE+0x45f) [0x7f102f75e44f]
6   0x7f102f7903c2 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC30CodeBlockJettisoningWatchpoint12fireInternalERKNS_10FireDetailE+0x82) [0x7f102f7903c2]
7   0x7f102f7c7f4f /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC10Watchpoint4fireERKNS_10FireDetailE+0x2f) [0x7f102f7c7f4f]
8   0x7f102f7c7917 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet18fireAllWatchpointsERKNS_10FireDetailE+0x57) [0x7f102f7c7917]
9   0x7f102f7c78a6 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet11fireAllSlowERKNS_10FireDetailE+0x66) [0x7f102f7c78a6]
10  0x7f102f78bf35 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet7fireAllERKNS_10FireDetailE+0x55) [0x7f102f78bf35]
11  0x7f102f78bec8 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet10invalidateERKNS_10FireDetailE+0x38) [0x7f102f78bec8]
12  0x7f102f76a1ff /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC21VariableWatchpointSet10invalidateERKNS_10FireDetailE+0x3f) [0x7f102f76a1ff]
13  0x7f102ff45b17 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC21VariableWatchpointSet23finalizeUnconditionallyERKNS_10FireDetailE+0x107) [0x7f102ff45b17]
14  0x7f102ff438fd /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC11SymbolTable17WatchpointCleanup23finalizeUnconditionallyEv+0xfd) [0x7f102ff438fd]
15  0x7f102fb7085d /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC11SlotVisitor31finalizeUnconditionalFinalizersEv+0x5d) [0x7f102fb7085d]
16  0x7f102fb4564b /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap31finalizeUnconditionalFinalizersEv+0x2b) [0x7f102fb4564b]
17  0x7f102fb47b73 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap11collectImplENS_13HeapOperationEPvS2_RA1_13__jmp_buf_tag+0x433) [0x7f102fb47b73]
18  0x7f102fb47721 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap7collectENS_13HeapOperationE+0x81) [0x7f102fb47721]
19  0x7f102fb47624 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap17collectAllGarbageEv+0x34) [0x7f102fb47624]
20  0x7f1034bd0e2b /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x4031e2b) [0x7f1034bd0e2b]
21  0x7f1034bd0d7e /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore12GCController12gcTimerFiredEv+0x1e) [0x7f1034bd0d7e]
22  0x7f1034bd1722 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEclIJEvEEvPS1_DpOT_+0x72) [0x7f1034bd1722]
23  0x7f1034bd16a3 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt5_BindIFSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEPS2_EE6__callIvJEJLm0EEEET_OSt5tupleIJDpT0_EESt12_Index_tupleIJXspT1_EEE+0x43) [0x7f1034bd16a3]
24  0x7f1034bd1656 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt5_BindIFSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEPS2_EEclIJEvEET0_DpOT_+0x26) [0x7f1034bd1656]
25  0x7f1034bd141d /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt17_Function_handlerIFvvESt5_BindIFSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEPS4_EEE9_M_invokeERKSt9_Any_data+0x1d) [0x7f1034bd141d]
26  0x7f10343a8eee /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x3e) [0x7f10343a8eee]
27  0x7f10343a8e7c /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore5Timer5firedEv+0x1c) [0x7f10343a8e7c]
28  0x7f1035872b5c /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore12ThreadTimers24sharedTimerFiredInternalEv+0x18c) [0x7f1035872b5c]
29  0x7f1035872889 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore12ThreadTimers16sharedTimerFiredEv+0x19) [0x7f1035872889]
30  0x7f1035044807 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt17_Function_handlerIFvvEPS0_E9_M_invokeERKSt9_Any_data+0x17) [0x7f1035044807]
31  0x7f10343a8eee /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x3e) [0x7f10343a8eee]
FAILED
Finished: 309.366842 s
```

fpizlo@, ggaren@, any idea about what's going on here? Our perf bot is red and reporting crashes for that test since the revision mentioned by Carlos. It seems that after enabling FTL it crashes more consistently.
The bt is different, though, and it doesn't seem to be the main thread that is crashing:

```
[Switching to Thread 0x7fed9effd700 (LWP 26509)]
0x00007fee01d72022 in JSC::SlotVisitor::drain() () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
(gdb) bt
#0  0x00007fee01d72022 in JSC::SlotVisitor::drain() () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007fee01d722d7 in JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode) () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007fee01d4c8d0 in WTF::SharedTaskFunctor<void (), JSC::Heap::markRoots(double, void*, void*, __jmp_buf_tag (&) [1])::{lambda()#1}>::run() () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3  0x00007fee021f760b in WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x00007fee021f83bc in WTF::ParallelHelperPool::helperThreadBody() () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#5  0x00007fee021fbe55 in WTF::threadEntryPoint(void*) () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#6  0x00007fee02227b7a in WTF::wtfThreadEntryPoint(void*) () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#7  0x00007fee010490a4 in start_thread (arg=0x7fed9effd700) at pthread_create.c:309
#8  0x00007fedf8ce506d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
```

I've been looking at this, and without knowing JavaScriptCore, what I've noticed is that Heap::addToRememberedSet() is receiving a JSCell that is not marked, and it is added to the SlotVisitor m_stack, which expects its contents to be marked. I have no idea why, since I'm not familiar with JSC.

I'm seeing this crash in the EFL perf bot too:

```
Running Speedometer/Full.html (150 of 150)
error: Speedometer/Full.html
1   0x7f1a05f74238
2   0x7f1a0617deb0
3   0x7f1a05db48ec JSC::JSPropertyNameEnumerator::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)
4   0x7f1a05adecbf JSC::SlotVisitor::drain()
5   0x7f1a05ad0702 JSC::Heap::markRoots(double, void*, void*, __jmp_buf_tag (&) [1])
6   0x7f1a05ad3ff6 JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, __jmp_buf_tag (&) [1])
7   0x7f1a05ad42b8 JSC::Heap::collect(JSC::HeapOperation)
8   0x7f1a05ac5796 JSC::CopiedSpace::tryAllocateSlowCase(unsigned long, void**)
9   0x7f1a05db4a21 JSC::JSPropertyNameEnumerator::finishCreation(JSC::VM&, unsigned int, unsigned int, WTF::PassRefPtr<JSC::PropertyNameArrayData>)
10  0x7f1a05db4e2b JSC::JSPropertyNameEnumerator::create(JSC::VM&, JSC::Structure*, unsigned int, unsigned int, JSC::PropertyNameArray&)
11  0x7f1a05b79526 JSC::propertyNameEnumerator(JSC::ExecState*, JSC::JSObject*)
12  0x7f19a80e81ec
FAILED
Finished: 100.308614 s
```

It doesn't seem to happen that often for EFL, though.

After r192775 I can't reproduce the crash locally anymore and the GTK perf bot is green, so maybe the WebCore GC timer was causing this somehow.

(In reply to comment #6)
> After r192775 I can't reproduce the crash locally anymore and the GTK perf bot is green, so maybe the WebCore GC timer was causing this somehow.

It seems it is still happening, not as frequently as before, but it still fails sometimes: https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Release%20%28Perf%29?numbuilds=200

Perhaps there is more than one issue causing this test to fail.

This never failed again after r195537 for GTK+. I'm leaving this open because I don't know if it's still an issue for EFL.

Closing this bug because the EFL port has been removed from trunk. If you feel this bug applies to a different upstream WebKit port and was closed in error, please either update the title and reopen the bug, or leave a comment to request this.